Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Comprehensive provisions for notifications 
  • Limited methods of notification delivery
  • Vendors must report breaches to HI data owners. HI data owners are responsible for reporting and notifications
  • State of Hawaii's office of consumer protection and all consumer reporting agencies may need to be notified
  • Violations can result in penalties and liability for injuries
  • Laws additionally cover data protection, data disposal, and record retention 
  • Other state or federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Hawaii breach and notification laws may apply if you:

  • Are a business that owns or licenses PII data of an HI resident 
  • Do business in HI and own or license PII in any form
  • Are a government agency that collects personal information for specific government purposes
  • Are a business located in HI or doing business in HI, or a government agency, that maintains or possesses PII but does not own or license it

 There are exemptions.

What is PII?


PII relevant to a breach in Hawaii includes a person's name plus one of the following:

  • Social Security Number
  • Driver license or Hawaii identification card number
  • Account number or credit or debit card number in combination with any security code, access code or password, etc. permitting access to the person's financial account



A few of these laws include, but are not limited to:

  • HRS, Division 1. Government / Title 26. Trade Regulation and Practice / Chapter 487N - Security Breach of Personal Information
  • Hawaii State Department of Education:  Guidelines for Notification of Security Breaches of Personal Information


A few of these laws include, but are not limited to:

  • HRS, Division 1. Government / Title 26. Trade Regulation and Practice / 487 - Consumer Protection / 487-1&2, 487-9, and
    • 487D – Retail Merchant Club Cards
    • 487J – Personal Information Protection
    • 487R – Destruction of Personal Information Records
    • 489E – Uniform Electronic Transactions Act
  • HAR, Title 16, Chapter 54-Personal Records



Violations are subject to a penalty of up to $2,500 each, and the violator is liable to the injured party in an amount equal to the sum of any actual damages. The attorney general or the executive director of the office of consumer protection may bring an action, but not against a government agency.



Considerations for reporting requirements include, but are not limited to:

  • The combination of personal information breached
  • If any elements of the personal information were encrypted or redacted
  • Whether the encryption key, password, or confidential process were accessed
  • If illegal use of the personal information has occurred or may occur
  • If it creates a risk of harm to a person


Depending on the impact and type of breach, there may be specific entities to report to and specific time limits for reporting a breach. In Hawaii, all notifications must be made without unreasonable delay, unless law enforcement advises in writing that it will impede a criminal investigation.


Requires detailed information and potential provision of services

Disclosure may only be made by written notice, by telephone, or electronically, with stipulations. A substitute notice, with specific requirements, may be used if the person demonstrates that the cost of providing the notice would exceed $100,000 or that the number of persons to be notified exceeds 200,000, if the person does not have sufficient contact information, or if it is not possible to identify particular affected persons.

Contact the Privacy Experts at CSR